SB2025051942 - Dell APEX Cloud Platform for Red Hat OpenShift update for third-party components

Published: May 19, 2025

Security Bulletin ID: SB2025051942
Severity: High
Patch available: YES
Number of vulnerabilities: 26
Exploitation vector: Remote access
Highest impact: Code execution

Breakdown by Severity

High: 19%, Medium: 42%, Low: 38%, Critical: 0%

Description

This security bulletin contains information about 26 security vulnerabilities.


1) Incorrect Regular Expression (CVE-ID: CVE-2022-40899)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to improper input validation when processing the Set-Cookie header. A remote attacker can send a specially crafted HTTP request to the application and perform a regular expression denial of service (ReDoS) attack.


2) Resource exhaustion (CVE-ID: CVE-2020-22916)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists because the application does not properly control consumption of internal resources when decompressing files. A remote attacker can trigger resource exhaustion and perform a denial of service (DoS) attack.


3) Improper Neutralization of Argument Delimiters in a Command (CVE-ID: CVE-2024-47611)

The vulnerability allows a remote attacker to compromise the affected system.

The vulnerability exists due to improper validation of arguments passed via command line to the application. A remote attacker can pass specially crafted input to the application (e.g. using a command with Unicode characters in a filename) and execute arbitrary OS commands on the system.


4) Information disclosure (CVE-ID: CVE-2023-32681)

The vulnerability allows a remote attacker to gain access to potentially sensitive information.

The vulnerability exists because the requests library leaks the Proxy-Authorization header to destination servers when a request is redirected to an HTTPS endpoint. A remote attacker can gain unauthorized access to sensitive information on the system.


5) Information disclosure (CVE-ID: CVE-2024-37891)

The vulnerability allows a remote attacker to gain access to potentially sensitive information.

The vulnerability exists because the Proxy-Authorization header is not stripped during cross-origin redirects when using urllib3's proxy support with ProxyManager. A remote attacker can obtain the proxy credentials used by the library.


6) Resource exhaustion (CVE-ID: CVE-2024-2511)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to unbounded memory growth when processing TLSv1.3 sessions. A remote attacker can trigger resource exhaustion and perform a denial of service (DoS) attack.

Successful exploitation of the vulnerability requires that the non-default SSL_OP_NO_TICKET option is being used in TLSv1.3.


7) Command Injection (CVE-ID: CVE-2024-6923)

The vulnerability allows a remote attacker to perform a spoofing attack.

The vulnerability exists due to insufficient validation of newlines for email headers when serializing an email message. A remote attacker can inject arbitrary headers into serialized email messages.


8) Race condition (CVE-ID: CVE-2024-3219)

The vulnerability allows a remote attacker to gain access to sensitive information.

The vulnerability exists due to a race condition within the socket module, which provides a pure-Python fallback to the socket.socketpair() function for platforms that don’t support AF_UNIX, such as Windows. This pure-Python implementation uses AF_INET or AF_INET6 to create a local connected pair of sockets. The connection between the two sockets was not verified before passing the two sockets back to the user, which leaves the server socket vulnerable to a connection race from a malicious local peer.


9) Incorrect Regular Expression (CVE-ID: CVE-2024-6232)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to insufficient validation of .tar archives when they are processed with regular expressions. A remote attacker can pass specially crafted data to the application and perform a regular expression denial of service (ReDoS) attack.


10) Resource exhaustion (CVE-ID: CVE-2024-7592)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists because the application does not properly control consumption of internal resources within the 'http.cookies' standard library module when parsing cookies that contain backslashes for quoted characters in the cookie value. A remote attacker can trigger resource exhaustion and perform a denial of service (DoS) attack.


11) Out-of-bounds read (CVE-ID: CVE-2023-7104)

The vulnerability allows a remote user to gain access to potentially sensitive information.

The vulnerability exists due to a boundary condition within the sessionReadRecord() function in ext/session/sqlite3session.c when processing a corrupt changeset. A remote user can send a specially crafted request to trigger an out-of-bounds read error and read contents of memory on the system or perform a denial of service attack.


12) Code Injection (CVE-ID: CVE-2024-6345)

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to improper input validation when processing URLs in the package_index module of pypa/setuptools. A remote attacker can send a specially crafted request and execute arbitrary code on the target system via the download functions.


13) Security features bypass (CVE-ID: CVE-2024-35195)

The vulnerability allows a local user to compromise the target system.

The vulnerability exists because the session object does not verify subsequent requests after the first request is made with verify=False. A local administrator can bypass authentication.


14) Integer overflow (CVE-ID: CVE-2024-38796)

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to an integer overflow in PeCoffLoaderRelocateImage. A remote user on the local network can pass specially crafted data to the application, trigger the integer overflow and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of the vulnerable system.


15) NULL pointer dereference (CVE-ID: CVE-2025-27113)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to a NULL pointer dereference within the xmlPatMatch() function in pattern.c. A remote attacker can pass a specially crafted XML document to the affected application and perform a denial of service (DoS) attack.


16) Stack-based buffer overflow (CVE-ID: CVE-2025-24928)

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to a boundary error within the xmlSnprintfElements() function in valid.c. A remote attacker can pass specially crafted XML data to the application, trigger a stack-based buffer overflow and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of the vulnerable system.


17) Use-after-free (CVE-ID: CVE-2024-56171)

The vulnerability allows a remote attacker to compromise the vulnerable system.

The vulnerability exists due to a use-after-free error within the xmlSchemaIDCFillNodeTables() and xmlSchemaBubbleIDCNodeTables() functions in xmlschemas.c. A remote attacker can pass a specially crafted XML document to the application, trigger a use-after-free error and execute arbitrary code on the system.

Successful exploitation of the vulnerability may allow an attacker to compromise the vulnerable system.


18) Heap-based buffer overflow (CVE-ID: CVE-2025-31115)

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to a boundary error within the lzma_stream_decoder_mt() function. A remote attacker can pass specially crafted data to the application, trigger a heap-based buffer overflow and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of the vulnerable system.


19) Integer overflow (CVE-ID: CVE-2025-3360)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to an integer overflow within the g_date_time_new_from_iso8601() function when parsing a long invalid ISO 8601 timestamp. A remote attacker can pass specially crafted data to the application, trigger an integer overflow and perform a denial of service (DoS) attack.


20) Input validation error (CVE-ID: CVE-2024-31068)

The vulnerability allows a local user to perform a denial of service (DoS) attack.

The vulnerability exists due to improper Finite State Machines (FSMs) in Hardware Logic. A local administrator can pass specially crafted input to the application and perform a denial of service (DoS) attack.


21) Input validation error (CVE-ID: CVE-2024-28047)

The vulnerability allows a local user to gain access to sensitive information.

The vulnerability exists due to insufficient validation of user-supplied input. A local administrator can gain unauthorized access to sensitive information on the system.


22) Input validation error (CVE-ID: CVE-2024-39279)

The vulnerability allows a local user to perform a denial of service (DoS) attack.

The vulnerability exists due to insufficient granularity of access control. A local user can pass specially crafted input to the application and perform a denial of service (DoS) attack.


23) Input validation error (CVE-ID: CVE-2024-25571)

The vulnerability allows a local user to perform a denial of service (DoS) attack.

The vulnerability exists due to insufficient validation of user-supplied input. A local administrator can pass specially crafted input to the application and perform a denial of service (DoS) attack.


24) Sequence of processor instructions leads to unexpected behavior (CVE-ID: CVE-2024-37020)

The vulnerability allows a local user to perform a denial of service (DoS) attack.

The vulnerability exists due to an error related to the processing of a sequence of processor instructions. A local user can cause a denial of service condition on the target system.


25) Buffer overflow (CVE-ID: CVE-2024-31155)

The vulnerability allows a local user to execute arbitrary code on the target system.

The vulnerability exists due to a boundary error in the UEFI firmware. A local administrator can trigger memory corruption and execute arbitrary code on the target system with elevated privileges.


26) Buffer overflow (CVE-ID: CVE-2024-21859)

The vulnerability allows a local user to gain access to sensitive information.

The vulnerability exists due to a boundary error in the UEFI firmware. A local administrator can trigger memory corruption and gain unauthorized access to sensitive information on the system.


Remediation

Install the update from the vendor's website.